Alerts and legal analysis of legislative trends

Global News Roundup

From the U.S. Federal Trade Commission (FTC) to the Dutch Data Protection Authority (DPA), regulators are asserting themselves in consumer privacy issues. This Privacy Tracker weekly legislative roundup offers information on the FTC’s settlement with a flashlight app developer, as well as its plans for the upcoming year, and the Dutch DPA’s findings in its investigation of Google’s privacy policy. Meanwhile, the UK Information Commissioner’s Office announced that pending new pan-Europe legislation will result in significant budget losses, causing it to restructure; some are calling U.S. state attorneys general the most important privacy regulators in the country, and BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act.

U.S.

Lawmakers See Amazon Announcement as More Reason for Drone Regulation

The Verge reports the recent announcement by Amazon’s founder Jeff Bezos that the company expects to make deliveries by drones in the near future has given Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) and Sen. Ed Markey (D-MA) a new hook to push bills that would regulate drone use with respect to privacy. “The issue of concern, Mr. Speaker, is surveillance, not the delivery of packages. That includes surveillance of someone's backyard, snooping around with a drone, checking out a person's patio to see if that individual needs new patio furniture from the company,” Poe said in front of Congress this week.

CA Court of Appeals Limits Claims, Damages Under CMIA

In keeping with previous data breach cases, the California Court of Appeal recently limited plaintiffs’ ability to state a claim and get statutory damages under the California Medical Information Act, reports Law360. The court ruled that “plaintiffs must plead and prove more than the mere allegation that a healthcare provider negligently maintained or lost possession of data but rather that such data was in fact improperly viewed or otherwise accessed.” The authors state the court relied heavily on “an analysis of the legislative intent behind Senate Bill No. 19.”

FTC Settles with Flashlight App Developer

The Federal Trade Commission (FTC) has settled with an Android flashlight app developer over charges that the app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. “Brightest Flashlight Free,” developed by Goldenshores Technologies, allegedly failed to disclose within its privacy policy that it transmitted users’ precise locations and unique device identifiers to third parties. The settlement, the FTC’s first based on location data, prevents the company from misrepresenting how it collects and uses consumer data and requires it to provide a just-in-time disclosure informing consumers of how their data is used and obtain express consent. Meanwhile, a study has found most mobile apps put privacy at risk. Mobile privacy is one of three focuses for the FTC in 2014.

Potential Settlement Over Alleged Data-Mining Without Notice

A recent filing indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion, Bloomberg reports. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations.

OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care.

State AGs: The Most Important Regulators in the U.S.?

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead.

Where the FTC is Headed in 2014

On Capitol Hill Tuesday, all four FTC commissioners testified before a House Energy and Commerce subcommittee to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on its current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC, reports The Privacy Advisor, including remarks by Rep. Marsha Blackburn (R-TN) and FTC Bureau of Consumer Protection Director Jessica Rich. The FTC also last week announced it will host a set of three seminars to explore consumer privacy issues. The first seminar, focusing on mobile device tracking, will be held in February.

Legal Reform Needed in U.S., Not Just Europe

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror.

Google Wins Dismissal in Privacy Policy Case

Google has won dismissal of a lawsuit challenging its privacy policy, which allows it to combine user data across its different products, Bloomberg reports. U.S. Magistrate Judge Paul Grewal ruled the plaintiffs failed to prove they had suffered losses as a result of Google’s actions, but he also ordered that the plaintiffs can refile their claims. “A plaintiff must do more than point to the dollars in a defendant’s pocket,” Grewal wrote in his ruling. In order for the suit to move forward, the plaintiffs have to demonstrate how Google’s use of their data “deprived the plaintiff of the information’s economic value.”

ALEC Publishes Model Bill for State Education CPOs

The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall.

CANADA

Denham Calls for Amendment To Law; Ring Voices Concerns

Citing concerns that public entities are not doing enough to raise awareness of possible health, safety and environmental concerns, BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act, Times Colonist reports. In a report released this week, Denham raises concerns that public bodies are not aware of or trained in their duty to inform residents of potential dangers. Separately, the CEO of a health research firm is cautioning that privacy concerns in BC limit researcher access to data for healthcare innovations. And in Newfoundland and Labrador, Information and Privacy Commissioner Ed Ring is concerned the province’s premier’s office “improperly withheld” documents related to search and rescue efforts.

EU

Draft EU Data Protection Package: A History and Look to the Finish Line

Reforming the outdated EU legislative framework governing data protection was always going to be a daunting task, but the Snowden revelations certainly haven’t made things easier. Nóra Ní Loideain examines in this exclusive for The Privacy Advisor the underpinnings of what has led to the EU Data Protection Reform’s current state and looks at whether the Greek or Italian presidencies will be able to push through a package that has so far eluded Denmark, Cyprus, Ireland and now Lithuania. Will it be done before the parliamentary elections in May? It’s now looking increasingly unlikely.

Pan-Euro Law Likely Means ICO Restructuring

SC Magazine reports that pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February.

Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.”

Member States Need More Time with Regulation Proposal

Bloomberg reports the EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht.

Report: Developing Countries Need Privacy Laws To Bridge the Gap

UN trade and development body Unctad has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. The Guardian reports that as of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy.

ASIA PACIFIC

Australian Privacy Amendments Carry Big Penalties

In a feature for Mondaq, David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace continues on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments and offers tips for compliance. The amendments will come into effect on 12 March.

ALRC Examines Right To Be Forgotten; Privacy Tort

The Australian Law Reform Commission (ALRC) is examining a "right to be forgotten” and “right and to erasure," News.com.au reports, noting “privacy groups are demanding the right to censor other people's posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply with consent. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can't give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort.

New Zealand Official Welcomes Draft FATCA Legislation

Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliance Act (FATCA) regulations, Voxy reports, quoting PwC New Zealand FATCA Director Henry Risk, who said, "We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act, the report states.

Commissioner Rules Fitness Center Collected Excessive Data

California Fitness has been fined by Hong Kong Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law, South China Morning Post reports. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.”

Written By

Emily Leach, CIPP/US
